Gateway TLSv1.0 and TLSv1.1 Removal

Fri 17 November 2017

To increase security for transaction processing, CityPay is requiring TLS version 1.2 to connect. Clients may need to make changes to their payment infrastructure to meet the new security requirements. In May 2015 CityPay announced support of the Payment Card Industry Security Standards Council (PCI SSC) bulletin on migrating from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) on our gateway endpoints. Version 3.2 of the PCI Data Security Standard (DSS) was released in April 2016 and now requires all endpoints to stop using SSL and early versions of TLS.

To ensure CityPay meets its compliance commitments for PCI, CityPay is requiring that all merchant integrations meet the following requirements by the specified date: Effective 28 January 2018, CityPay will disable the use of TLS versions 1.0 and 1.1 and require that secure connections to all CityPay production gateways use TLS version 1.2 encryption.

Upgrade Help

We currently have around 0.5% of traffic still using TLSv1.1, with the remainder using TLSv1.2, so the impact for each merchant may be non-existent.

I am using the Merchant Control Panel Virtual Terminal, how will the change affect me?

If you are using the virtual terminal, ensure you are using the latest patched browser for your operating system. Most modern browsers such as Chrome, Safari, Firefox and Microsoft Edge update automatically to the latest version. To confirm your browser, go to https://www.ssllabs.com/ssltest/viewMyClient.html and check that your browser has TLS 1.2 support.

For corporate networks, ensure you are using the latest browsers and that TLS 1.2 is enabled in Active Directory.

I am using PayPOST/CityPay API, how will the change affect me?

Your connection into our gateway will use an operating system or software component to perform the TLS handshake, for instance Java SE, cURL, OpenSSL, MS SChannel or similar. If you are using Windows, you will need to ensure that you are using SChannel 8.1 or above, which is included with Windows 2012R2 and above. Windows 2008 does support TLS 1.2 but requires additional installations; see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details. Windows 2003 is not known to provide support.

To test your connection, we recommend performing a test transaction by pointing your service to https://tls-migration-testing.citypay.com. The host has been set up to use the live and test service while restricting the protocol to TLSv1.2. The service is temporary for 3 months and will be removed on 23 February 2018.
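A pre-flight check for the integration server before the test transaction, given here as an added example rather than CityPay code: it captures the ClientHello that the local Python/OpenSSL stack would send, without touching the network, and reports whether that ClientHello offers TLS 1.2. It assumes the integration uses Python's `ssl` module; the SNI name `gateway.example` and the sample TLS 1.1 ClientHello are constructed for illustration.

```python
import ssl
import struct

TLS12 = 0x0303  # wire code for TLS 1.2 (TLS 1.1 = 0x0302, TLS 1.0 = 0x0301)
# Constructed sample: minimal ClientHello from a client capped at TLS 1.1.
TLS11_HELLO = bytes.fromhex(
    "160301002d" "01000029" "0302" + "00" * 32 + "00" "0002002f" "0100"
)

def local_client_hello(ctx=None):
    """Return the ClientHello record the local ssl module would send (no network)."""
    ctx = ctx or ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="gateway.example")  # placeholder SNI
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no peer attached, the ClientHello is now queued in `outgoing`
    return outgoing.read()

def parse_versions(record):
    """Return (legacy_version, supported_versions or None) from a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    body = record[9:]  # skip 5-byte record header and 4-byte handshake header
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # client_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return legacy, None                             # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == 0x002B:                          # supported_versions extension
            raw = body[pos + 5:pos + 5 + body[pos + 4]]
            return legacy, [v for (v,) in struct.iter_unpack("!H", raw)]
        pos += 4 + ext_len
    return legacy, None

def offers_tls12(record):
    """True if a gateway that accepts only TLS 1.2 could complete this handshake."""
    legacy, supported = parse_versions(record)
    return TLS12 in supported if supported is not None else legacy >= TLS12

if __name__ == "__main__":
    print("local stack offers TLS 1.2:", offers_tls12(local_client_hello()))
```

A `True` result only shows that the client offers TLS 1.2; the test transaction is still needed to confirm that cipher suites and certificate validation also succeed.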

I am using Paylink version 2, how will the change affect me?

Paylink 2 requires the end user's browser to perform the interaction, so a TLSv1.2 capable browser is required. We recommend that your website restricts connections to TLSv1.2 in line with industry security practice.

Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser. They are recommended to upgrade their browser to the latest version.

I am using Paylink version 3, how will the change affect me?

Your connection into our gateway will use an operating system or software component to perform the TLS handshake to create the Paylink token. Your server will use components such as Java SE, cURL, OpenSSL, MS SChannel or similar. If you are using Windows, you will need to ensure that you are using SChannel 8.1 or above, which is included with Windows 2012R2 and above. Windows 2008 does support TLS 1.2 but requires additional installations; see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details. Windows 2003 is not known to provide support.

To test your connection, we recommend performing a test transaction by pointing your service to https://tls-migration-testing.citypay.com. The host has been set up to use the live and test service while restricting the protocol to TLSv1.2. The service is temporary for 3 months and will be removed on 23 February 2018.

Paylink 3 also requires the end user's browser to perform the interaction, so a TLSv1.2 capable browser is required. We recommend that your website restricts connections to TLSv1.2 in line with industry security practice.

Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser. They are recommended to upgrade their browser to the latest version.

Which products are known not to work?

The following products will be deemed end of life for connecting to CityPay's gateway services and will need to be upgraded by the cut-over date.